2 Answers
2

Yes, linear cryptanalysis may still be possible, depending upon the distribution on the plaintexts and the specifics of the block cipher.

For instance, suppose we know that the plaintext is English encoded in ASCII. Then we know that the high bit of each 8-bit byte is zero. We may also know some additional linear approximations that hold on the plaintext that hold with non-zero bias. This may be enough to mount linear cryptanalysis, e.g., if you can find a linear characteristic for the whole cipher that only involves those bits of the plaintext (only the high bits of each byte) and not any other bits of the plaintext.

As I recall, there has been results showing that ciphertext-only linear cryptanalysis of DES is possible, assuming that the plaintexts are ASCII-encoded English text. This result might even have been included in Matsui's original paper on linear cryptanalysis; I cannot remember.

To apply this kind if cryptoanalysis you need to have at least few pair of plaintext-ciphertext. Without knowing plaintext you could not build correct linear expression, because you will not know where to start.
Quote from Tutorial on Linear and Differential Cryptanalysis:

Linear cryptanalysis tries to take advantage of high probability
occurrences of linear expressions involving plaintext bits,
"ciphertext" bits, and subkey bits. It is a known plaintext attack:
that is, it is premised on the attacker having information on a set of
plaintexts and the corresponding ciphertexts.